
I have understood that Trusted boot and Kernel Patch Protection (or PatchGuard) are ways that Windows uses to protect itself from rootkit infections. But I cannot find a comparison of these two protection methods. I'm not looking for a detailed technical comparison, but just for a simple conceptual comparison.

I assume that Kernel Patch Protection protects only the integrity of the kernel and system files, while Trusted boot does the same thing, but Trusted boot is also a part of Secure boot which protects also the bootloader (one level higher). Am I wrong? Are there other important differences? And does that mean that Trusted boot is actually a replacement for Kernel Path Protection or just a different name for it?

Another point I am not sure about is that Kernel Patch Protection is available only on 64 bit Windows systems, but what is with Secure/Trusted boot? Is it available also on 32 bit Windows systems?

Anders
pineappleman
  • My (wild) guess: Secure / Trusted boot protects you until Windows is loaded so far that Kernel Patch Protection can take over. – SEJPM Mar 08 '16 at 14:30

2 Answers


Question 1:

Kernel Patch Protection is focused on the protection of the kernel; this means that device drivers cannot modify anything related to the kernel. If Kernel Patch Protection is enabled, you have a lower chance of getting any BSoD or of rootkits being nested into the kernel.

Trusted Boot is more focused on the software that is trusted by the manufacturer, so no other programs, like malware, will be started.

Both are two different kinds of methods to protect the system.

Question 2:

Secure/Trusted Boot is available on every system.

Hopefully I have answered your question.

mike-stokkel

I'd say Kernel Patch Protection is not specifically aimed at malicious code like rootkits but rather at legitimate yet poorly-designed drivers. Before such protection, some special kernel drivers, like those used by anti-virus software, routinely overwrote kernel data structures or even code in order to hook (intercept) kernel routines. This kind of behaviour is unsupported and often leads to conflicts and BSoDs. (Which is why people are told not to install more than one anti-virus.) Kernel Patch Protection does not directly stop such modification, but instead makes the system crash when such modification is later detected, forcing makers of the software to use other techniques.

Malicious code that has gained kernel privilege can easily operate without ever triggering this protection. In addition, since the protection code is passive (it does not actively reject modification) and only has the same level of access as other kernel code, it can be disabled by a determined attacker.

Secure Boot on the other hand uses hardware features to prevent unauthorised code from running during the boot process. If implemented properly, it will provide total protection until user land is loaded (where any code can run with an admin user's blessing). The concept may receive some enhancements, but it is unlikely that it can be replaced with something better.

Secure Boot is available on 32 bit Windows provided you install the UEFI version.

billc.cn
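The two answers turn on a handful of platform facts: whether the firmware is UEFI (Secure Boot needs it), whether Secure Boot is actually on, whether the kernel is 64-bit (Kernel Patch Protection only exists there), and whether the boot configuration has been relaxed to allow unsigned kernel code. The script below is an added example, not code from either answer, that reports those facts on a Windows 8 or later machine. It assumes the `Confirm-SecureBootUEFI` cmdlet from the built-in SecureBoot module and the `FIRMWARE_TYPE` environment variable are present (both ship with Windows 8 and later), and it must be run from an elevated PowerShell because `bcdedit` and the Secure Boot query require administrator rights.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# Assumptions: Windows 8 or later, so Confirm-SecureBootUEFI (SecureBoot module)
# and $env:firmware_type exist. Both are standard on those versions.

function Get-BootProtectionSummary {
    # Firmware type is "UEFI" or "Legacy". Secure Boot requires UEFI; a
    # BIOS/CSM install (common for 32-bit Windows) cannot use it at all.
    $firmware = $env:firmware_type
    if (-not $firmware) { $firmware = 'Unknown' }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # "Cmdlet not supported on this platform" on legacy BIOS firmware.
    $secureBoot = $null
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $secureBoot = 'Not supported (legacy BIOS, or firmware without Secure Boot)'
    }

    # Kernel Patch Protection (PatchGuard) only exists in the x64 kernel, so
    # OS bitness tells you whether it is in play at all.
    $is64 = [Environment]::Is64BitOperatingSystem

    # Boot options that weaken the chain: "testsigning" and
    # "nointegritychecks" let unsigned kernel code load. With Secure Boot on
    # the boot manager refuses these; on a BIOS machine they can be set freely.
    $bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
    $testSigning = [bool]($bcd -match 'testsigning\s+Yes')
    $noIntegrity = [bool]($bcd -match 'nointegritychecks\s+Yes')

    [pscustomobject]@{
        FirmwareType          = $firmware
        SecureBootEnabled     = $secureBoot
        Is64BitOS             = $is64
        KernelPatchProtection = $(if ($is64) { 'Present (x64 kernel)' } else { 'Absent (x86 kernel)' })
        TestSigningOn         = $testSigning
        NoIntegrityChecksOn   = $noIntegrity
    }
}

Get-BootProtectionSummary | Format-List
```

Reading the output against the answers: `FirmwareType = Legacy` means Secure Boot is off the table regardless of Windows bitness, which is the case the last answer describes for a non-UEFI 32-bit install; `Is64BitOS = False` means there is no PatchGuard in the kernel, so the only kernel-integrity control left is driver signing, and `TestSigningOn` or `NoIntegrityChecksOn` being `True` means even that has been switched off.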